[itdiscuss] Firewalls
Kevin Brunson
kevinb at highergroundtech.com
Wed Nov 12 11:24:14 EST 2008
Derek,
Was your X700 running WSM or Fireware? I agree with everything you said, assuming you are talking about WSM. Fireware has been rock-solid for me.
We have 2 X750e firewalls we use in-house, one at our office and one at our co-lo, both running Fireware Pro. They each have upwards of 40 site-to-site VPNs on them, connecting to other Watchguard Edge and Core firewalls, Sonicwalls, Ciscos, and even a Linksys or 2. We have VoIP going across VPNs with no issues. One of my firewalls has current uptime of over 9 months, and it is under heavy stress, with 7 of the 8 ports in use, multiple internet connections, static routes, and a tremendously complicated ruleset.
WSM did require reboots for some config changes. I don't know why. But the X700 is almost at end-of-life now, and everything they currently sell has Fireware, which only requires reboots for firmware upgrades.
Fireware supports SSL VPN, which is about the easiest VPN app I have ever used. All it asks for is URL, username and password. It does the rest. It is similar to almost every SSL VPN client I have ever seen. Theirs is based on OpenVPN.
As you see from my previous message, I 100% agree on the edge units. Uptime on those is pretty sad, and they start doing really strange things if they are not rebooted.
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Derek Schwab
Sent: Wednesday, November 12, 2008 10:04 AM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Firewalls
Cisco has an application that connects to the firewall and gives you real-time monitoring. It's included with all of their firewalls. Sonicwall's Viewpoint app is really nice, probably one of the best monitoring apps out there, but it's not real time.
As far as watchguard goes:
1. I think their management program is a huge pain to deal with. Yes, it's nice to be able to edit a config offline and upload it, but do I really need a clunky program to do that? I can do the same thing with my Cisco config files in about ¼ the time.
2. Certain changes, like moving an IP from the WAN to DMZ in transparent mode, require a reboot. Why? There's no reason any change other than a firmware upgrade should require a reboot.
3. We have an X700 (currently in the process of being taken out of service) that randomly stops passing certain types of traffic - most commonly FTP, it seems. This requires a reboot to fix.
4. Their client VPN app is horrible. It never worked reliably for us and was a big pain to configure and use. I'll give bonus points to Sonicwall here, they have a really nice VPN client. Cisco's is still the best, IMO, though.
5. Site-to-site VPN is really flaky. We used it for a while for some teleworkers with the "Edge" boxes at their homes. Tunnels would bounce up and down all the time. Their phones were pretty much unusable due to that.
6. The Edge units lock up and have to be rebooted about once a month. We had 4 of them in service, and a couple of different models and they all did it. The Core series seems to go about 3-4 months between lock ups, but it has to be rebooted periodically.
I've worked with several different firewall vendors and have never had so many issues with a single product line.
-Derek
________________________________
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Jeffrey Thompson
Sent: Wednesday, November 12, 2008 10:34 AM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Firewalls
Actually I think an application gives you real time monitoring that can't be accomplished any other way. I actually think that having the Watchguard Monitor and Admin as an application is a plus and not a negative. I also would be curious to know what qualifies Watchguard as "one of the worst firewalls out there".
On Nov 12, 2008, at 10:33 AM, Kevin Brunson wrote:
Wow, really? Worst firewall out there? Just because it has separate management software or is there some operational reason?
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Derek Schwab
Sent: Wednesday, November 12, 2008 9:18 AM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Firewalls
Watchguard still works the same way. In my opinion, that has got to be one of the worst firewalls out there.
Sonicwall isn't bad and I would say it's great for a small office environment. Sonicwall definitely doesn't seem to be an enterprise-ready device. I've been using them for over 6 years at a previous job and at some clients I do consulting work for now. I must say that the stability and reliability leave a lot to be desired.
Juniper - Never personally used them, but know several people who have and have heard good things. Saw someone mention pricing on Juniper - their pricing isn't that bad - in the same neighborhood as Sonicwall, actually a little cheaper last time I looked.
I'm personally a big fan of the Cisco ASA series. They are rock solid, relatively easy to use, and one of the cheaper options out there. If you compare the initial purchase price and yearly support cost of an ASA 5510 to the other equivalent boxes from other vendors (watchguard x700 or Sonicwall 3060), the Cisco is actually SIGNIFICANTLY less expensive, which is just the opposite of what you might expect from them.
-Derek
________________________________
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com
Sent: Wednesday, November 12, 2008 10:09 AM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] Firewalls
I'm working to replace an old Watchguard that is no longer supported. The main thing I don't like about it is that you have to load software on a PC to manage the configuration. I would much rather just login to the device itself. Have they changed that at all?
Bill Lloyd
IT Manager
2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604
Fax: 770-417-1747
Cell: 404-379-6963
blloyd at buskercom.com
This email and any accompanying attachments may contain confidential and proprietary information. If you are not the intended recipient, you are requested to delete this entire communication immediately. Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any problems that may result from emails you receive.
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Jeffrey Thompson
Sent: Wednesday, November 12, 2008 9:58 AM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Firewalls
Watchguard has done well for network firewall and web filter for me.
On Nov 12, 2008, at 9:32 AM, Lee, Jason wrote:
I think I would disappoint those around CITRT (Mainly Justin Moore) if I didn't say Sonicwall's lineup has been rock solid and cost effective for us.
- jason
_______________________________________________
it discuss mailing list: discuss at itdiscuss.org
Mailing List: http://itdiscuss.org/discuss
Web Discussion Board: http://itdiscuss.org/discuss-forum
Wiki: http://itdiscuss.org/wiki
Internet Relay Chat: irc://irc.freenode.net/citrt